Stored Cross-Site Scripting Vulnerability in Jenkins Dynamic Extended Choice Parameter Plugin by Jenkins
CVE-2022-36902

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Dynamic Extended Choice Parameter Plugin
Vendor: CVE Published:; 27 July 2022

Summary

The Jenkins Dynamic Extended Choice Parameter Plugin versions up to 1.0.1 contain a vulnerability that allows for stored cross-site scripting. This issue arises because the plugin does not properly escape multiple fields associated with Moded Extended Choice parameters. An attacker with Item/Configure permissions can exploit this vulnerability to execute arbitrary JavaScript in the context of the users interacting with the affected system, potentially leading to unauthorized actions and data exposure.

Affected Version(s)

Jenkins Dynamic Extended Choice Parameter Plugin <= 1.0.1

References

https://www.jenkins.io/security/advisory/2022-07-27/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/07/27/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 27, 2022
Vulnerability Reserved
Jul 27, 2022